- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.

Purpose

How to configure Zimbra authentication against Active Directory over SSL (LDAPS, port 636).

Prerequisite

Before anything else, make sure that non-SSL (port 389) AD authentication is already working by following that article. Getting the plain LDAP bind right first means that any failure after switching to SSL can only be a certificate or port problem.

Resolution

1. Review the following article to familiarize yourself with configuring authentication against AD from the Zimbra side, in the Admin UI. The only difference from that article is that, under "Active Directory Settings", the "Use SSL:" tick box must be checked:

That will create a file named ad.crt. Copy ad.crt back to the AD server.

(If you are purchasing an SSL certificate from a commercial CA instead, send the CSR to your vendor and they will generate and sign the certificate for you. If you have already purchased an SSL certificate for the domain controller, you can skip this step.)

7. Accept the Certificate.
After ad.crt has been copied to the AD server, run the following command there to accept it with the "certreq" utility:

certreq -accept ad.crt

This installs the issued certificate in the Windows certificate store and pairs it with the private key that was generated for the request, making it available to every service and product that uses the Windows certificate store. These include, but are not limited to, IIS, Exchange, Active Directory (LDAPS), Terminal Services and the Microsoft Management Console (MMC).

8. Install the certificate.

From Step 3, open the "Certificates snap-in" and expand the "Certificates" node under "Personal". Right-click on the "Certificates" node, select "All Tasks" -> "Import..." and import "ad.crt". Afterwards, confirm that the certificate is listed there for the Local Computer account with a private key (the key icon on the certificate), that its subject or Subject Alternative Name is the domain controller's FQDN, and that "Server Authentication" appears among its intended purposes: the domain controller will not serve LDAPS with a certificate that fails any of these.

9. Restart AD server

After installing the certificate you must restart the AD server (reboot the domain controller) so that it picks up the new certificate and starts listening for LDAPS on port 636.

Check

1. Go back to that article, tick the "Use SSL:" box (from step 1 above) and proceed until you reach the window to test the authentication. The authentication should succeed.

2. The next test uses the ldp.exe utility on the domain controller. Click Start > Run, type ldp.exe and open it. At the top left, click "Connection" > "Connect...".

Make sure the port is 636, the SSL check box is ticked, and that you type the FQDN of the AD server exactly as it appears in the certificate, not its IP address or short name; a mismatch fails the SSL handshake.

If the connection succeeds, the following output is produced:

Then you can bind to AD.

You can choose any of the authentication methods. In my case, I authenticated as the "aduser" user:
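The same test driven from the Zimbra host (or any other machine) instead of from the domain controller, as an added example that is not part of the original article and is not Zimbra's or Microsoft's tooling: a minimal LDAPv3 simple bind over LDAPS written with only the Python standard library. Unlike the ldp.exe click-through, it makes the trust decision explicit. The connection is verified against a CA file you name (the CA that signed ad.crt), with hostname checking left on, so a certificate that Zimbra would also reject fails here with ssl.SSLCertVerificationError before any password is sent. The host name dc01.example.com, the CA file ad-ca.pem, the user aduser@example.com, the Zimbra setting zimbraAuthLdapBindDn "%u@example.com" mentioned in a comment and the two canned server responses are assumptions constructed for illustration, not captured traffic.

```python
# Verified LDAPS simple bind using only the Python standard library.
# Usage (assumed names): python3 ldaps_bind_check.py dc01.example.com aduser@example.com ad-ca.pem
import getpass
import socket
import ssl
import sys

LDAPS_PORT = 636
LDAP_VERSION = 3

# Constructed BindResponse messages for offline decoding (not captured traffic):
# success for messageID 1; resultCode 49 (invalidCredentials) for messageID 2.
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_INVALID = bytes.fromhex("301502010261100a013104000409") + b"bad creds"

def ber_len(n):
    """BER length octets: short form below 128, long form (0x80|N, then N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_int(n):
    """Minimal two's-complement INTEGER contents."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)

def tlv(tag, body):
    """One BER element: tag, length, contents."""
    return bytes([tag]) + ber_len(len(body)) + body

def read_tlv(data, pos=0):
    """Decode the element at data[pos]; returns (tag, contents, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length

def bind_request(msg_id, name, password):
    """LDAPMessage{ messageID, BindRequest [APPLICATION 0]{ version, name, simple [0] } }.
    name is the bind DN; with zimbraAuthLdapBindDn "%u@example.com" (an assumed setting) Zimbra
    sends the user's UPN.  The password is in clear inside TLS, which is why this must never
    go over port 389."""
    bind = (tlv(0x02, ber_int(LDAP_VERSION))
            + tlv(0x04, name.encode("utf-8"))
            + tlv(0x80, password.encode("utf-8")))
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x60, bind))

def parse_bind_response(data):
    """Decode LDAPMessage{ messageID, BindResponse [APPLICATION 1]{ resultCode, matchedDN,
    diagnosticMessage } } into (message_id, result_code, diagnostic); 0 is success."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage (tag 0x%02x)" % tag)
    _, mid, pos = read_tlv(msg)
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, code, pos = read_tlv(resp)
    _, _matched_dn, pos = read_tlv(resp, pos)
    _, diag, _ = read_tlv(resp, pos)
    return (int.from_bytes(mid, "big", signed=True),
            int.from_bytes(code, "big", signed=True),
            diag.decode("utf-8", "replace"))

def recv_exact(sock, n):
    """Read n bytes or raise; TLS records need not line up with LDAP messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf

def recv_message(sock):
    """Read exactly one BER element (one whole LDAPMessage) from the socket."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length & 0x80:
        extra = recv_exact(sock, length & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + recv_exact(sock, length)

def ldaps_bind(host, name, password, cafile, port=LDAPS_PORT, timeout=10):
    """ldp.exe's 'Connect' (SSL, 636) plus 'Bind', with the trust decision explicit: the DC's
    certificate must chain to cafile (the CA that signed ad.crt) and name host, the DC's FQDN
    exactly as written in the certificate, so an IP or short name fails the handshake on purpose."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1, name, password))
            return parse_bind_response(recv_message(tls))

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: ldaps_bind_check.py <dc-fqdn> <user@domain> <ca.pem>")
    _, code, diag = ldaps_bind(sys.argv[1], sys.argv[2], getpass.getpass("AD password: "), sys.argv[3])
    print("resultCode=%d diagnosticMessage=%r" % (code, diag))
    sys.exit(0 if code == 0 else 1)
```

Result code 0 is a successful bind. Result code 49 (invalidCredentials) together with an AD diagnostic string means TLS and the certificate are fine and only the credentials were wrong, which still passes the check this article is about. A verification error during the handshake, by contrast, points at the certificate: wrong FQDN, or an issuing CA that is not in the trust store you passed.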